author | Mårten Nordheim <marten.nordheim@qt.io> | 2017-12-14 11:49:19 +0100 |
---|---|---|
committer | Mårten Nordheim <marten.nordheim@qt.io> | 2018-04-30 11:18:43 +0000 |
commit | 51e14787d5c31a6397dbc43a134397f9bec8c6b3 (patch) | |
tree | 9a249b8a3ca7006c6a1339b577657fd4431102a7 /src/network/access/qnetworkcookiejar.cpp | |
parent | 2677ad78e6a283734aef733581a4ae07f7294ec8 (diff) |
Stop rejecting cookies which have a domain that matches a TLD
... but only if the host it came from is an EXACT match. Also only apply
the cookie if the url is an EXACT match.
[ChangeLog][QtNetwork][QNetworkCookieJar] Cookies will no longer be
rejected when the domain matches a TLD. However (to avoid problems
with TLDs), such cookies are only accepted, or sent, when the host name
matches exactly.
Task-number: QTBUG-52040
Change-Id: Ic2ebd9211c48891beb669032591234b57713c31d
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Diffstat (limited to 'src/network/access/qnetworkcookiejar.cpp')
-rw-r--r-- | src/network/access/qnetworkcookiejar.cpp | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index f62a03b11d..2ec4acf26c 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -241,6 +241,17 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
 if ((*it).isSecure() && !isEncrypted)
 continue;
+ QString domain = it->domain();
+ if (domain.startsWith(QLatin1Char('.'))) /// Qt6?: remove when compliant with RFC6265
+ domain = domain.mid(1);
+#if QT_CONFIG(topleveldomain)
+ if (qIsEffectiveTLD(domain) && url.host() != domain)
+ continue;
+#else
+ if (!domain.contains(QLatin1Char('.')) && url.host() != domain)
+ continue;
+#endif // topleveldomain
+
 // insert this cookie into result, sorted by path
 QList<QNetworkCookie>::Iterator insertIt = result.begin();
 while (insertIt != result.end()) {
@@ -340,6 +351,11 @@ bool QNetworkCookieJar::validateCookie(const QNetworkCookie &cookie, const QUrl
 if (domain.startsWith(QLatin1Char('.')))
 domain = domain.mid(1);
+ // We shouldn't reject if:
+ // "[...] the domain-attribute is identical to the canonicalized request-host"
+ // https://tools.ietf.org/html/rfc6265#section-5.3 step 5
+ if (host == domain)
+ return true;
 #if QT_CONFIG(topleveldomain)
 // the check for effective TLDs makes the "embedded dot" rule from RFC 2109 section 4.3.2
 // redundant; the "leading dot" rule has been relaxed anyway, see QNetworkCookie::normalize() |
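Review bot: In the `#else` branch of the new check in cookiesForUrl, only domains without any dot are held to an exact host match, so on builds without the topleveldomain feature a cookie whose domain is a multi-label public suffix (constructed example: `co.uk`) is not covered by this send-side restriction. Whether such a cookie can be stored at all depends on validateCookie's own `#else` branch, which is not visible in this diff, so that should be confirmed rather than assumed. At minimum the limitation deserves a comment above the fallback, e.g. `// No TLD table: only single-label domains are treated as TLDs; multi-label public suffixes are not caught here.` The loop body of cookiesForUrl starts and ends outside the hunk.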
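Review bot: The early `return true` for `host == domain` in validateCookie makes accepting a TLD-domain cookie safe only because cookiesForUrl now refuses to send it unless the host matches exactly, and nothing at this site says so. cookiesForUrl is virtual, so a jar subclass that reimplements it and relied on validateCookie to keep such cookies out would presumably hand them to every host under that TLD through its ordinary parent-domain match. I would record the coupling next to the return, e.g. `// Safe only because cookiesForUrl() sends an effective-TLD cookie on an exact host match; reimplementations must do the same.`, and repeat it in the class documentation. The dot-stripping is duplicated in both functions and could share a helper so the accept and send paths cannot drift apart. validateCookie continues outside the hunk.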